Could not verify token signature.

[REQUIRED] Step 2: Describe your environment

Operating System version: Windows 10 1903
Library version: 4.2.0
Firebase Product: auth

[REQUIRED] Step 3: Describe the problem

I am developping a Flutter app inwhich I have a Facebook Sign In flow, then I authenticate the user on Firebase. In my backend code, I am using firebase_admin to authorize client calls, validating the tokens against firebase.

The mobile part is working fine and I was able to get the ID token once the firebase authentication flow succeeded. When I send the ID token to my backend to perform the token verification, it failes with the following stracktrace:

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\auth.py in verify_id_token(id_token, app, check_revoked)
    192     """
    193     client = _get_client(app)
--> 194     return client.verify_id_token(id_token, check_revoked=check_revoked)
    195
    196

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\_auth_client.py in verify_id_token(self, id_token, check_revoked)
    100                              ' bool, but given "{0}".'.format(type(check_revoked)))
    101
--> 102         verified_claims = self._token_verifier.verify_id_token(id_token)
    103         if self.tenant_id:
    104             token_tenant_id = verified_claims.get('firebase', {}).get('tenant')

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\_token_gen.py in verify_id_token(self, id_token)
    236
    237     def verify_id_token(self, id_token):
--> 238         return self.id_token_verifier.verify(id_token, self.request)
    239
    240     def verify_session_cookie(self, cookie):

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\_token_gen.py in verify(self, token, request)
    342             if 'Token expired' in str(error):
    343                 raise self._expired_token_error(str(error), cause=error)
--> 344             raise self._invalid_token_error(str(error), cause=error)
    345
    346     def _decode_unverified(self, token):

InvalidIdTokenError: Could not verify token signature.

Steps to reproduce:

I created a simple snippet that allows me to test the problem:

>>> import firebase_admin
>>> from firebase_admin import auth as firebase_auth
>>> credentials = firebase_admin.credentials.Certificate('service_account.json')
>>> firebase = firebase_admin.initialize_app(credentials)
>>> id_token = "..."  # Extracted from my client code after firebase authentication succeeded
>>> firebase_auth.verify_id_token(id_token)

Relevant Code:

Digging a bit deeper, I found out the the verification is failing in the pkcs1.py file:

def verify(message, signature, pub_key):
    ...
    method_name = _find_method_hash(clearsig)

The method _find_method_hash() above tries to look for byte sequence specific to hashing algos using the following definition:

HASH_ASN1 = {
    'MD5': b'\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10', 
    'SHA-1': b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14', 
    'SHA-224': b'\x30\x2d\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04\x05\x00\x04\x1c', 
    'SHA-256': b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20', 
    'SHA-384': b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30', 
    'SHA-512': b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40', 
}

and none of them matches the signature of the idToken I sent.

Let me know how can I help further.

Thanks!

Issue Analytics

State:
Created 3 years ago
Reactions:1
Comments:17 (9 by maintainers)

Top GitHub Comments

9reactions

mbtodorovcommented, May 14, 2020

I had an epiphany just now.

When running Flutter from Android Studio, there is a hard limit on the number of characters that will be printed to stdout, with no indication that a truncation has occurred (as you can see the token doesn’t end on … or something to indicate that are characters omitted). When I get the full token it’s all working as expected.

I can’t believe how many hours of debugging I’ve spent on this… only to realize that there is no problem at all.

As a rule of thumb: don’t rely on flutter print statements.

I guess this issue is not meant to at all be part of this repository. Thanks for your help regardless guys!

6reactions

pin-yucommented, Aug 16, 2021

Hey guys, we could get the complete token string by using log() method.

In my case, debugPrint(idToken) can only print 1014 characters of my token string. log(idToken) print 1146 characters which is a complete token string.

Top Results From Across the Web

Unable to verify token signature. The signing key identifier ...

Unable to verify token signature. The signing key identifier does not match any valid registered keys. getting this below error for all new ......

Sign-In Error 5000811 — Unable to verify token signature. The ...

Sign-in error code 5000811 Unable to verify token signature. The signing key identifier does not match any valid registered keys. On the ...

Firebase: Failed to verify the signature of Firebase ID token

When I try to verify the Firebase jwt token in my Spring Boot backend application, I get the following error: Failed to verify...

Validate JSON Web Tokens - Auth0

Tokens should be parsed and validated in regular web, native, and single-page applications to make sure the token isn't compromised and the signature...

Verify the Google ID token on your server side | Authentication

The ID token is properly signed by Google. Use Google's public keys (available in JWK or PEM format) to verify the token's signature....